PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 05-32
July 2005

EXECUTIVE SUMMARY

This Office of the Inspector General audit examines the policies and practices in the Department of Justice (DOJ or Department) regarding classified information on portable computers. Our audit objectives were to: (1) review the Department’s policies and practices concerning the storage of classified information on portable computers, and (2) determine whether more effective practices could be adopted by the Department to enhance the ability to process classified information on portable computers while adequately safeguarding the information.

To accomplish our objectives, we interviewed the Department’s Deputy Chief Information Officer; the Assistant Director of the Security and Emergency Planning Staff (SEPS); and information technology (IT) security personnel from the Drug Enforcement Administration (DEA), the Federal Bureau of Investigation (FBI), and the Executive Office for United States Attorneys (EOUSA). In addition, we interviewed IT security personnel from the Central Intelligence Agency (CIA), the National Security Agency, the National Reconnaissance Office (within the Department of Defense), and the Department of Energy.
We also analyzed both government-wide policy and DOJ policy as they relate to the processing of classified information on portable computers.

Government-wide Policy

Three organizations have responsibility for developing government-wide policy related to the certification and accreditation of IT systems.[1] The Federal Information Security Management Act (FISMA) delegates policy development and oversight to the National Institute of Standards and Technology (NIST) for information systems other than national security systems. Executive Order 13231, Critical Infrastructure Protection, requires the Committee on National Security Systems (CNSS) to develop policy over national security systems that store, process, or transmit classified information.[2] In addition, Executive Orders 12333 and 12958 delegate to the CIA the responsibility for developing policy related to processing Sensitive Compartmented Information.[3] Based on Executive Orders, the CNSS and the CIA are the ultimate authorities on how Classified National Security Information and Sensitive Compartmented Information are to be processed on computers within the DOJ and throughout the federal government.

[1] Certification and accreditation is a comprehensive evaluation of the technical and non-technical security features and other safeguards in place on a system. The certification is made as part of and in support of the accreditation process. The certification process validates that appropriate safeguards have been implemented on the system. The process culminates in the accreditation of the system (permission for the system to operate).

The policies developed by these organizations cover all IT systems, including portable computers.

DOJ Policy

DOJ Order 2640.2E establishes uniform policy, responsibilities, and authorities for the implementation and protection of the DOJ’s IT systems that store, process, or transmit classified and unclassified information. The Office of the Chief Information Officer and SEPS developed policy based on authority derived from DOJ Order 2640.2E.

The Department’s Chief Information Officer issued 18 Information Technology Security Standards for DOJ systems that process classified and unclassified information. The 18th standard, titled Information Technology Security Standard, Management Controls, 1.6 Classified Laptop and Standalone Computers Security Policy (Standard 1.6), established uniform IT security management controls for classified laptop (portable) and standalone computers storing, processing, or transmitting National Security Information in the DOJ.

Policy issued by SEPS, titled the Security Program Operating Manual (SPOM), provides guidance for the safeguarding of classified information. The SPOM applies to classified information, the facilities authorized to store the information, security controls, and security clearance requirements for employees.

[2] The CNSS is the policy making body for all issues concerning the security of national security systems for the federal government.
See Appendix II for a list of the voting members on the committee.

[3] Sensitive Compartmented Information is classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled exclusively within formal access control systems established by the Director of Central Intelligence.

Audit Results

Our audit disclosed areas where improvements can be made to the current DOJ policy and practices relating to storing, processing, or transmitting classified information on portable computers. Specifically, we found Standard 1.6 includes inappropriate and confusing references and is incomplete in providing guidance and instructions. Further, we identified innovative practices to improve the use of portable computers for processing classified information while adequately safeguarding classified information.

Standard 1.6

We identified three areas of concern with DOJ policy Standard 1.6. First, although Standard 1.6 was written to address the processing of classified information, it uses references to policies that do not apply to portable or standalone computers that process, store, or transmit classified information. For example, Standard 1.6 refers to Office of Management and Budget Circular A-130, Revised, (Transmittal Memorandum No. 4; Subject: Management of Federal Information Resources); Federal Information Processing Standards Publication 197, Advanced Encryption Standard (FIPS 197); DOJ Order 2620.7, Control and Protection of Limited Official Use Information; 5 CFR Part 930, Training Requirement for the Computer Security Act; and 18 U.S.C. 2510, Electronic Communications Privacy Act. These documents relate to unclassified information.
Policies for systems that process unclassified information have no authority over systems that store, process, or transmit classified information and, therefore, should be omitted from the guidance. Inclusion of inappropriate references in this Standard may confuse employees and lead to implementation of incorrect practices.

Second, Standard 1.6 does not address the systems that process Classified National Security Information and Sensitive Compartmented Information separately, as those systems are subject to policies that are derived from different authorities. Despite unique and specific guidance regarding Classified National Security Information and Sensitive Compartmented Information, stipulated by Presidential delegated government-wide authorities, Standard 1.6 does not differentiate between the two types of information or provide separate processing requirements for information classified under these distinct designations.

Third, we found that Standard 1.6 includes incomplete guidance and instructions. For example, it states that classified portable computers may not be connected to external systems, networks, or communication devices. However, the Deputy Chief Information Officer informed us that classified portable computers can be connected to classified networks if the approval to do so is documented in the security plan for the certification and accreditation of the network. Standard 1.6 needs to be updated to clarify this exception.

Another example of incomplete guidance and instructions in Standard 1.6 concerns two of its attachments.
Attachment 2 (Security Acknowledgment Statement for System Administrators) is not referred to in the body of the policy; therefore its intended purpose and usage are unclear. Attachment 5 (Sample Classified Computer Usage Log) also is not referred to in the body of the policy and contains no instructions for its completion or the retention period for the log.

Increasing Efficiency When Processing Classified Information in Portable Computers

Our audit also identified several ways for the Department to more efficiently and economically store, process, and transmit classified information in portable computers.

Removable Hard Drives. Standard 1.6 allows for the use of portable computers with removable hard drives when processing classified information. However, it does not explicitly authorize the use of two hard drives, one for classified information and one for unclassified information, in a single portable computer. We asked officials from the EOUSA, DEA, and FBI: (1) if their agencies authorized the use of portable computers with removable hard drives, one to process classified and another to process unclassified on the same computer, and (2) if not, whether they would consider the feature worthwhile. Officials from all three agencies responded negatively to the first question. The responses to the second question varied between the agencies. EOUSA responded that the issue does come up and it would probably be worthwhile to pursue as long as users understand the applicable security requirements. The DEA responded that while the feature would have fiscal advantages, the risk of procedural errors, such as forgetting to exchange removable hard drives for the appropriate type of information processing, could negate the utility of interchanging hard drives.
The FBI responded that the feature could be worthwhile, but it would need to evaluate any proposed use of removable hard drives based on the operational need, technical configuration of the system, and other mitigating factors through the certification and accreditation process.

We also contacted agencies outside of the DOJ to discuss their policies with respect to removable hard drives.[4] Except for the Department of Energy, these agencies process both classified and unclassified information by using portable computers with two separate removable hard drives — one hard drive for processing classified information and the other for processing unclassified information.[5]

[4] The CIA, the National Security Agency, the National Reconnaissance Office, and the Department of Energy.

In our view, the use of removable hard drives is an area that the Department should consider.

Type Accreditations. The concept of type accreditations, defined by the Chief Information Officer in Standard 1.6 for portable and standalone computers, is an abbreviated accreditation process for classified portable and standalone computers that can be used in lieu of a full certification and accreditation process.[6] The Chief Information Officer developed this approach to limit the unnecessary duplication of the full certification and accreditation requirements. However, Standard 1.6 does not document the process that DOJ components should use to request type accreditations for new computer configurations.

Encryption. Encryption of the hard drive is a safeguard required by the Committee on National Security Systems that can help protect classified information from unauthorized use if a portable computer or hard drive is lost or stolen. Encryption involves a set of mathematically expressed rules for rendering data unintelligible to an unauthorized user.
Standard 1.6 does not explicitly require the use of the encryption standard specified by the Committee on National Security Systems.

Limited Data on Hard Drives.

or stolen. If such devices were installed, a lost or stolen computer could more easily be located.

Recommendations

We made 12 recommendations to assist the Department in improving the storing, processing, and transmitting of classified information on portable computers. For example, we recommend a revision of Standard 1.6 in order to remove any references to statute, policy, or procedures that are not applicable to processing classified information, indicate what policy applies when classified portable computers are allowed to be connected to classified networks, and address systems that process Classified National Security Information independently from those that process Sensitive Compartmented Information.

We also recommend that the Department consider the use of removable hard drives for processing both classified and unclassified information on the same portable computer by using two separate removable hard drives. This would require that the hard drive become the classifiable device instead of the portable computer and that appropriate security safeguards be developed. Additional recommendations relate to the use of encryption, tracking devices, and the sending of alerts to systems administrators when classified devices are improperly connected to the Internet.

TABLE OF CONTENTS

INTRODUCTION
    Government-wide Policy on the Certification and Accreditation of IT Systems
    DOJ Policy

FINDINGS AND RECOMMENDATIONS

1. STANDARD 1.6 HAS INAPPROPRIATE REFERENCES AND IS INCOMPLETE
    Inappropriate References in Standard 1.6
    Separate Authority Governing Classified National Security Information and Sensitive Compartmented Information
    Incomplete Guidance and Instructions
    Conclusion
    Recommendations

2. INCREASING EFFICIENCY WHEN PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS
    Removable Hard Drives and Operating System
    Type Accreditations
    Safeguards for Lost or Stolen Computers
    Labeling Requirements for Classified Information Media
    Recommendations

STATEMENT ON INTERNAL CONTROLS

APPENDICES
    Appendix I - Objectives, Scope, and Methodology
    Appendix II - Voting Members of the Committee on National Security Systems
    Appendix III - Classified Laptop and Standalone Computers Security Policy, Standard 1.6
    Appendix IV - Chief Information Officer’s Response to the Audit Recommendations
    Appendix V - Office of the Inspector General, Audit Division, Analysis and Summary of Actions Necessary to Close Report

INTRODUCTION

This Office of the Inspector General audit examines the policies and practices in the Department of Justice (DOJ or Department) for the processing of classified information in portable computers. Our approach for conducting this audit included: (1) interviewing officials from within and outside the Department about classified portable computing policies and practices and (2) examining government-wide and DOJ policy related to processing classified information.

During our initial discussions with the Department’s Deputy Chief Information Officer and the Assistant Director of the Security and Emergency Planning Staff (SEPS), they identified DOJ components that process classified information using portable computers. We selected the Drug Enforcement Administration (DEA), the Federal Bureau of Investigation (FBI), and the Executive Office for United States Attorneys (EOUSA) to examine the use of portable computers for processing classified information.

We extended our interviews beyond the DOJ to determine how other federal agencies address the storing and processing of classified information using portable computers.
We met with staff from SEPS and the Chief Information Officer’s office and discussed their knowledge of other federal agencies that process classified information on portable computers. Based on their input, we interviewed Information Technology (IT) and security personnel from the National Security Agency, the Central Intelligence Agency (CIA), and the Department of Energy. Based on input from the CIA, we also contacted the National Reconnaissance Office within the Department of Defense. (See Appendix I for additional information on our objectives, scope, and methodology.)

Our original intention was to examine the policies and practices in the DOJ for the processing of classified information on portable computers. However, IT and security staff informed us that we should also review government-wide policy that applies to all IT systems, whether they process classified or unclassified information. Therefore, our audit includes a review of the following government-wide policy (National Institute of Standards and Technology, Special Publication 800-37; Committee on National Security Systems, National Information Assurance Certification and Accreditation Process; and the Director of Central Intelligence Directives, DCID 6/3) that requires all computer systems be certified before they can be placed in operation.

Government-wide Policy on the Certification and Accreditation of IT Systems

The certification of an IT system involves a comprehensive evaluation of the technical and non-technical security features and other safeguards in place on a system. The certification is made as part of and in support of the accreditation process. The certification process validates that appropriate safeguards have been implemented on the system.
The process culminates in the accreditation of the system (permission for the system to operate).

During our research, we identified the organizations that have the responsibility to develop government-wide policy related to the certification and accreditation of IT systems. The policies cover all IT systems, including portable computers. As detailed in the following table, three organizations have the responsibility to develop policy for the certification and accreditation of all IT systems.

Government-wide Certification and Accreditation Authority

Organization                                             Type of Information                                Source of Authority
-------------------------------------------------------  -------------------------------------------------  -------------------------------------------------------
National Institute of Standards and Technology (NIST)    Unclassified                                       Federal Information Security Management Act (FISMA) (December 17, 2002)
Committee on National Security Systems (CNSS)[7]         Classified National Security Information (CNSI)    Executive Order 13231 (as amended September 17, 2003)
Central Intelligence Agency (CIA)                        Sensitive Compartmented Information (SCI)          Executive Order 12333 (as amended August 27, 2004) and Executive Order 12958 (as amended March 25, 2003)

The Federal Information Security Management Act (FISMA) delegates policy development and oversight to the National Institute of Standards and Technology (NIST) for information systems other than national security systems.
Certification and accreditation procedures for systems other than national security systems — unclassified systems (systems that process only unclassified information) — are documented in NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

[7] See Appendix II for a complete list of the voting members of the Committee on National Security Systems.

To separate unclassified from classified systems, NIST Special Publication 800-59 includes six questions designed to determine whether the system meets the definition of a national security system. According to the publication, “In order for a system to be designated a national security system, one of the following questions must be answered in the affirmative:”

• Does the function, operation, or use of the system involve intelligence activities?

• Does the function, operation, or use of the system involve cryptologic activities related to national security?

• Does the function, operation, or use of the system involve command and control of military forces?

• Does the function, operation, or use of the system involve equipment that is an integral part of a weapon or weapons system?

• Is the system critical to the direct fulfillment of military or intelligence missions?

• Does the system store, process, or communicate classified information?

Based on the NIST policy, any system that stores, processes, or communicates classified information is a national security system and falls under the jurisdiction of the Committee on National Security Systems.

Executive Order 13231, Critical Infrastructure Protection, identifies the government-wide committees that develop
policy for the protection of information systems. Based on Executive Order 13231, the Committee on National Security Systems is responsible for policy over national security systems. The Committee on National Security Systems has documented procedures for the certification and accreditation of national security systems in the National Information Assurance Certification and Accreditation Process (NIACAP).

National security systems store, process, or transmit classified information as defined by Executive Order 12958, Classified National Security Information. The Order defines three levels of Classified National Security Information:

• Top Secret — classified information where the unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security;

• Secret — classified information where the unauthorized disclosure could reasonably be expected to cause serious damage to national security; and

• Confidential — classified information where the unauthorized disclosure could reasonably be expected to cause damage to national security.

Executive Order 12333, United States Intelligence Activities, requires that the Director of Central Intelligence, “Ensure the establishment by the Intelligence Community of common security and access standards for managing and handling foreign intelligence systems, information, and products.” In addition, Executive Order 12958, Section 4.3, delegates to the Director of Central Intelligence authority over special access programs pertaining to intelligence activities.
Further, certification and accreditation of systems used to process intelligence information, referred to as Sensitive Compartmented Information, is documented in Director of Central Intelligence Directive (DCID) 6/3.[8]

[8] Sensitive Compartmented Information is classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled exclusively within formal access control systems established by the Director of Central Intelligence.

The policies developed by the Committee on National Security Systems and the CIA take precedence over the standards developed by the Department’s Chief Information Officer for national security systems.

DOJ Policy

When necessary, DOJ employees store, process, and transmit classified information using portable computers. Employees may also process sensitive but unclassified information, send and receive e-mail, and obtain research data from the Internet on portable computers. Currently, employees who process both classified and unclassified information must utilize two separate portable computers in order to accomplish their assignments. Carrying two portable computers is necessary because the current DOJ policy does not explicitly authorize the use of two hard drives, one for classified information and one for unclassified information, in a single portable computer.

DOJ Order 2640.2E, titled Information Technology Security, establishes uniform policy, responsibilities, and authorities for the implementation and protection of DOJ’s IT systems that store, process, or transmit classified and unclassified information.
The Assistant Director of SEPS and the Deputy Chief Information Officer described the distinction between the responsibilities of the two offices as the Chief Information Officer being responsible for security of classified and unclassified IT systems and SEPS being responsible for security of the classified information.

The Department’s Chief Information Officer issued 17 Information Technology Security Standards between December 4, 2003, and January 30, 2004, for DOJ systems that process classified and unclassified information. In addition, an 18th standard was issued on August 19, 2004, titled Information Technology Security Standard, Management Controls, 1.6 Classified Laptop and Standalone Computers Security Policy (Standard 1.6). Standard 1.6 established uniform information technology security management controls for laptop (portable) and standalone computers storing, processing, or transmitting National Security Information in the DOJ.[9] All IT systems in the DOJ that process classified information must be certified and accredited in accordance with standards established by the Department’s Chief Information Officer before the system can be used.

Policy issued by SEPS, titled Security Program Operating Manual (SPOM), revised November 5, 2004, provides guidance for the safeguarding of classified information. The SPOM applies to classified information, security controls, security clearance requirements for employees, and the facilities authorized to store the information.

Classified National Security Information cannot be processed in public areas or while being transported.
According to the SPOM and DCID 6/9, such information can be processed in only four specific types of facilities — a Sensitive Compartmented Information Facility (SCIF), a Temporary Secure Working Area, an Open Storage Area, or a Restricted Area.

[9] During this audit, we analyzed a draft copy of Standard 1.6 (Standard 1.3, version 0.5), issued March 31, 2004, by the Office of the Chief Information Officer. We received a copy of the final version of Standard 1.6 on September 8, 2004.

A SCIF is an accredited area, room, group of rooms, buildings, or installation where Sensitive Compartmented Information may be stored, used, discussed, and electronically processed. A Temporary Secure Working Area is a space where Sensitive Compartmented Information may be handled, discussed, or processed, but should not be stored. SEPS oversees design and security of SCIFs and Temporary Secure Working Areas within the DOJ, with the exception of the FBI, which is responsible for the design and security of SCIFs and Temporary Secure Working Areas under its jurisdiction.

An Open Storage Area is used when the volume or bulk of classified material is such that the use of security containers is not practical. When a component determines that an Open Storage Area is necessary, its location and construction must be approved by the Department Security Officer. A Restricted Area can be established when it is necessary to control access to classified material in an area not approved for open storage. All classified material must be secured during non-working hours in approved security containers or vaults.
Open Storage Areas and Restricted Areas are accredited by SEPS for the DOJ, with the exception of the FBI, which is responsible for the design and security of Open Storage Areas and Restricted Areas under its jurisdiction.

In Restricted Areas or Temporary Secured Working Areas, the user must maintain constant possession of the hard drive containing classified information, or it must be locked in an approved security container. Further, if the hard drive cannot be removed from the computer, the computer must be disconnected from its peripheral devices, i.e., a mouse, monitor, keyboard, and printer, and locked in an approved security container when not in use.

FINDINGS AND RECOMMENDATIONS

1. STANDARD 1.6 HAS INAPPROPRIATE REFERENCES AND IS INCOMPLETE

    Standard 1.6 uses references to policies that were written for unclassified IT systems. Standard 1.6 does not address systems that process Classified National Security Information separately from systems that process Sensitive Compartmented Information. Furthermore, Standard 1.6 provides incomplete guidance and instruction for network connections, and two of its attachments are not referred to in the body of the policy.
    We recommend that Standard 1.6 be revised to reduce the difficulty that DOJ components may have when attempting to comply with Standard 1.6.

Standard 1.6 contains the following categories of specific requirements for laptops and standalone computers that store, process, or transmit National Security Information:

● Administrative Security
● Physical Security
● Personnel Security
● Identification and Authentication
● Audit Trail and Review
● Logical Access Control
● Password Management
● Software Security
● Telecommunications Security
● Media Security
● Continuity of Operations
● Incident Response
● Encryption

Standard 1.6 also contains seven attachments: a security acknowledgement statement for authorized end-users, a security acknowledgement statement for system administrators, hardware and software configurations of classified laptop and standalone computers, a list of acronyms, a sample classified computer usage log, a sample classified computer maintenance log, and a classified laptop and standalone computer technical checklist (see Appendix III, pages 35-47 for specifics).

Our review of Standard 1.6 identified three primary areas of concern, discussed in greater detail below.
Standard 1.6 uses references that apply
to unclassified IT systems, does not address systems that process Classified
National Security Information separately from systems that process
Sensitive Compartmented Information, and provides incomplete guidance
and instructions for several attachments.


Inappropriate References in Standard 1.6

Standard 1.6 uses references to policies that do not apply to portable
or standalone computers that process, store, or transmit classified
information (see Appendix III, page 29). The following five policy references
used in Standard 1.6 do not apply to portable or standalone computers that
process classified information:

•    Office of Management and Budget Circular A-130, Revised,
     (Transmittal Memorandum No. 4; Subject: Management of
     Federal Information Resources) — This Circular discusses
     national security systems, but states in the section titled
     Applicability and Scope that, “Information classified for national
     security purposes should also be handled in accordance with the
     appropriate national security directives.” Further, the Circular
     states, “The policies and procedures established in this Circular
     will apply to national security systems in a manner consistent
     with the applicability and related limitations regarding such
     systems set out in Section 5141 of the Clinger-Cohen Act (Pub.
     L. 104-106, 40 U.S.C. 1451).” The Clinger-Cohen Act relates to
     the budget process for IT systems, not the processing of
     classified information.

•    Federal Information Processing Standards Publication 197,
     Advanced Encryption Standard (FIPS 197) — FIPS 197 does not
     apply to classified systems.
     The Standard states, “This standard
     may be used by Federal departments and agencies when an
     agency determines that sensitive (unclassified) information (as
     defined in P. L. 100-235) requires cryptographic protection.”
     Rather than referencing FIPS 197 for encryption of classified
     information on portable or standalone computers, the DOJ should
     reference the methods prescribed by the Committee on National
     Security Systems.

•    DOJ Order 2620.7, Control and Protection of Limited Official Use
     Information — The subject of DOJ Order 2620.7 is control and
     protection of limited official use information. Therefore, it does
     not apply to classified systems, and the reference to this order
     should be deleted.

•    5 CFR Part 930, Training Requirement for the Computer Security
     Act — 5 CFR Part 930 does not apply to classified systems. The
     authority for the regulation, Public Law 100-235, is limited to
     sensitive but unclassified information. Standard 1.6 should
     instead refer to computer security training (IT Security Standard
     2.8) and protection of classified information training (SPOM,
     Chapter 3).

•    18 U.S.C. 2510, Electronic Communications Privacy Act — This
     Act discusses the interception of wire, electronic, and oral
     communications. Standard 1.6 does not allow any type of
     telecommunications for portable or standalone computers
     processing classified information.

We believe the references that do not apply to portable or standalone
computers that process classified information should be removed. Also, any
instructions provided in Standard 1.6 that were derived from those incorrect
references should be deleted from the document.
The Assistant Director of
SEPS concurred with our position that unclassified references should not be
used in standards for storing, processing, or transmitting classified
information.


Separate Authority Governing Classified National Security
Information and Sensitive Compartmented Information

Standard 1.6 provides a uniform policy for portable and standalone
computers that store, process, or transmit classified information (see
Appendix III, page 25). However, there are two organizations outside the
DOJ that have government-wide authority over the security of systems that
store, process, or transmit classified information. The Committee on
National Security Systems issued certification and accreditation policy for
systems that process Classified National Security Information. Further, the
CIA issued certification and accreditation policy for systems that process
Sensitive Compartmented Information. Despite unique and specific
guidance regarding Classified National Security Information and Sensitive
Compartmented Information from these government-wide authorities,
Standard 1.6 does not differentiate between the two or provide separate
processing requirements for information classified under these distinct
designations.

We believe that Standard 1.6 should address the systems that process
Classified National Security Information and Sensitive Compartmented
Information separately, because those systems are subject to policies
developed by two separate government-wide authorities. SEPS, a voting
member of the Committee on National Security Systems for the Department
of Justice (see Appendix II, page 22), agrees with our position.


Incomplete Guidance and Instructions

We found three areas, described below, where the guidance and
instructions provided in Standard 1.6 are incomplete and therefore need
revision.

Lack of Instructions for Network Connections.
Section 3.1 states that,
“No external systems, networks, or communications devices
may be connected to classified laptop and standalone computers.” (See
Appendix III, pages 30 and 31.) However, the Deputy Chief Information
Officer informed us that classified portable computers can be connected to
classified networks if the approval to do so is documented in the security
plan for the certification and accreditation of the applicable network. Based
on that information, Standard 1.6 is not accurate regarding Department
policy on the connection of portable computers to external systems,
networks, or communication devices. In our opinion, Standard 1.6 should
not provide a blanket prohibition, but should indicate what policies apply
when classified laptop computers are authorized to be connected to
classified networks.

No Explanation of Security Configuration Tests. We asked the
Deputy Chief Information Officer why Attachment 2, entitled “Security
Acknowledgement Statement for System Administrators” (see Appendix III,
pages 37-39), requires that the System Administrator “make the
computer(s) available for reviews of the security configuration by
independent testers” and “ensure that the Certification Agent (CA) or a CA
appointed agent validates system security at least annually.” The Deputy
Chief Information Officer stated that logistical and organizational issues
concerning certification and independent testing are being negotiated.
However, Attachment 2 is not referred to in the body of Standard 1.6.
Therefore, the process for reviews of the security configuration by
independent testers and a validation of system security by certification
agents should be documented in the body of the policy.

No Instructions for Tracking Log.
Attachment 5, “Sample
Classified Computer Usage Log” (see Appendix III, page 44), has no
instructions for completing the log. In addition, Standard 1.6 does not refer
to the log or provide a retention period for the log. As written, either the
end-user or the administrator must record every action taken on every
document accessed, along with start and end times. As presented, we
consider the log to be unduly burdensome and in need of revision. The
Deputy Chief Information Officer explained that there is a need for a manual
record of the total time an individual was logged onto the classified system.
We understand the value of a tracking log, but the attachment will require
modification in order to capture only the required information, and
instructions will have to be prepared to inform the end-users and
administrators about how to complete the log and for how long it should be
retained. The Deputy Chief Information Officer indicated that this issue
would be addressed in the next revision of Standard 1.6.


Conclusion

Standard 1.6 includes inaccurate and confusing references directed at
unclassified systems, does not address systems that process Classified
National Security Information separately from Sensitive Compartmented
Information, and is incomplete in providing guidance and instructions. We
believe that Standard 1.6 could be confusing to DOJ components and should
be revised to correct these deficiencies.


Recommendations

We recommend that the Justice Management Division revise
Standard 1.6 to:

1.   Remove any references to statute, policy, or procedures that are not
     applicable to processing classified information.

2.   Address systems in accordance with policy from the Committee on
     National Security Systems for Classified National Security Information
     independently from the Director of Central Intelligence Directives for
     Sensitive Compartmented Information.

3.   Indicate what policy applies when classified portable computers are
     allowed to be connected to classified networks.

4.   Refer to Attachment 2 (Security Acknowledgement Statement for
     System Administrators) in the body of the policy and delineate the
     process for reviews of the security configuration by independent
     testers and validation of the system security by certification agents.

5.   Refer to Attachment 5 (Sample Classified Computer Usage Log) in the
     body of the policy and provide written instructions for the preparation
     and retention of the log.


2.  INCREASING EFFICIENCY WHEN PROCESSING
    CLASSIFIED INFORMATION ON PORTABLE
    COMPUTERS

    The Department should consider modification of any
    practices for processing classified information on
    portable computers from those prescribed in
    Standard 1.6. We believe that the DOJ’s Chief
    Information Officer should consider revising the
    policy to allow for a variety of innovative features
    and methods to enhance the ability of the DOJ to
    accomplish its mission, while adequately securing its
    classified information.

We met with four DOJ components (DEA, FBI, EOUSA, and Justice
Management Division) and four outside agencies (CIA, National Security
Agency, National Reconnaissance Office, and the Department of Energy) to
determine how they address the storage of classified information using
portable computers and to determine whether more effective practices are
available to enhance security.
All of the agencies contacted, with the
exception of the DEA, store and process some of their classified information
on portable computers.

From discussions with those interviewed and our review of
Standard 1.6 and the SPOM, we identified four security policy enhancements
we believe the Department should consider for classified portable computers.
The following sections describe those enhancements.


Removable Hard Drives and Operating System

We asked officials from the EOUSA, DEA, and FBI: (1) if their agency
authorized the use of portable computers with removable hard drives, one to
process classified information and another to process unclassified
information on the same computer, and (2) if not, whether they would
consider the feature worthwhile. Officials
from all three agencies responded negatively to the first question. The
responses to the second question varied among the agencies. The EOUSA
responded that the issue does come up and it would probably be worthwhile
to pursue as long as users understand the applicable security requirements.
The DEA responded that while the feature would have fiscal advantages, the
risk of procedural errors, such as forgetting to exchange removable hard
drives for the appropriate type of processing, could negate the utility of
interchanging hard drives.10 The FBI responded that the feature could be
worthwhile, but it would need to evaluate any proposed use of removable
hard drives based on the operational need, technical configuration of the
system, and other mitigating factors through the certification and
accreditation process.

Three of the four agencies we interviewed outside the DOJ process
both classified and unclassified information on the same computer by using
two separate removable hard drives — one hard drive for processing
classified information and the other for processing unclassified information.11

We discussed the subject of removable hard drives with a major
portable computer manufacturer who told us of at least two companies that
sell 5-gigabyte (5,000 megabytes) removable hard drives. The drives are
priced under $200 each. These drives are generally two inches wide by
three inches long, weigh less than two ounces, and fit into any “Type II PC
Card slot” in portable computers. As presented in the table below, we
believe they have enough storage space for a multi-user operating system,
application software, and a reasonable amount of space for processing
classified information. The table illustrates one example of a portable
computer’s software configuration we believe would meet the needs of many
of the DOJ’s classified computer users. With the Chief Information Officer’s
approval, 5-gigabyte removable hard drives could be used on the DOJ’s
portable computers that process classified information. This computer
configuration would allow both unclassified and classified information
processing in the same portable computer.

Operating System and Application Software Minimum Requirements

Example of a Usable Software Configuration    Space Requirements
Microsoft XP Professional                        230 megabytes
Microsoft Office Professional                    600 megabytes
Data Encryption                                   15 megabytes
Virus Detection                                   16 megabytes
Sub Total                                        861 megabytes
Remaining Space                                4,139 megabytes

Source: Software company websites.

10  We believe that DEA’s concern does not adequately consider that the SPOM
requires computers to contain banners reminding users of the classification for the system.
The SPOM states, “to avoid inadvertent compromises, removable hard drives used on IT
systems for unclassified and classified processing will utilize desktop backgrounds that
display classification banners at the top or bottom.”

11  The Department of Energy uses classified portable computers with removable
hard drives but does not interchange an unclassified hard drive with the classified hard
drive. The other three agencies are the CIA, the National Security Agency, and the Nat

Using removable hard drives offers advantages for portable
computers. Without removable hard drives, a user may be required to carry
two portable computers while on a traveling assignment — one for handling
classified information, which requires it to be double-wrapped, and the other
for processing unclassified information, connecting to the Internet, and
viewing e-mail.12 With removable hard drives, the user would be required to
double wrap only the classified hard drive instead of the entire portable
computer. In our opinion, a double-wrapped classified removable hard drive
is an effective security enhancement, as it is easier to conceal and is less
conspicuous due to its smaller size compared to a portable computer.

Although Standard 1.6 approves of removable hard drives
(Appendix III, page 41), it does not specifically authorize the use of dual
classified and unclassified hard drives in the same portable computer.
Without removable hard drives, users processing classified information on a
portable computer must disconnect all of the attached peripheral devices
and secure the entire computer in an approved security container when it is
to be left unattended.
In contrast, with a removable hard drive a DOJ
employee merely has to remove the classified hard drive and secure it, not
the computer shell.

In order to enhance security of the classified information when using
removable hard drives, system administrators must define user profiles
within the operating system for classified portable computers. For example,
IT security personnel at the National Reconnaissance Office and National
Security Agency told us that a multi-user operating system, such as
Microsoft Windows 2000 or XP, allows system administrators to define
computer users’ profiles and therefore restrict access to the computer’s
input/output ports. Specifically, the access to the unclassified drive when
the removable classified hard drive is in use can be controlled by the
definition of the user’s profile. In addition, they also said that users’ profiles
can allow access to Internet connections when the classified hard drive is not
in use.

In our view, the use of removable hard drives that can process both
unclassified and classified information in the same computer shell is an area
that the Department should consider.

12  Double wrap — classified information must be “…enclosed in two opaque layers;
both of which provide reasonable evidence of tampering and conceal the contents.”


Type Accreditations

The concept of type accreditations, defined by the Chief Information
Officer in Standard 1.6 for portable and standalone computers, is an
abbreviated accreditation process for classified portable and standalone
computers that can be used in lieu of a full certification and accreditation
process (see Appendix III, page 30).13 The Chief Information Officer
developed this approach to limit the unnecessary duplication of the full
certification and accreditation requirements. The Department’s Assistant
Director of SEPS stated that a type accreditation for classified portable and
standalone computers is an acceptable procedure.

Standard 1.6, Attachment 3 (Hardware and Software Configurations of
Classified Laptop and Standalone Computers), defines three specific types of
computer configurations: classified laptop computers, classified standalone
computers, and computers with removable hard drives (see Appendix III,
pages 40-42). Each of the three specific types of computer configurations
contains a list of recommended hardware configurations, mandatory
hardware features, and software configurations.

We believe that Standard 1.6 should allow the DOJ components more
flexibility in the design of portable and standalone computer systems. The
Deputy Chief Information Officer informed us that flexibility is built into the
type accreditation process. However, the process to obtain type
accreditations for other configurations is not documented in Standard 1.6. A
revised Standard 1.6 should document the process for DOJ components to
follow when requesting computer configurations not specified in the
Standard.
Furthermore, Standard 1.6 should be written to allow the DOJ
components flexibility to incorporate innovative safeguards that do not
compromise security.


Safeguards for Lost or Stolen Computers

Additional effective safeguards for classified computers and hard drives
may strengthen security by lowering the risk of unauthorized persons
gaining access to classified information in the event a portable computer is
lost or stolen.

13  Accreditation of a system is the permission for an IT system to operate.

For example, encryption of the hard drive is a safeguard that IT and
security personnel believe can reasonably protect classified information from
unauthorized use if a portable computer is lost or stolen.14 As discussed on
page 8, the Chief Information Officer’s reference for encryption cites the
Federal Information Processing Standard Publication 197 — Advanced
Encryption Standard (Appendix III, page 29). Yet, FIPS 197 applies to
unclassified systems, not classified systems, which is the focus of Standard
1.6. Further, the Committee on National Security Systems has a Presidential
delegation for national security systems through Executive Order 13231.
Therefore, we believe the Chief Information Officer should explicitly require
the use of the encryption standard specified by the Committee on National
Security Systems when defining DOJ standards.

In addition to encryption, we identified three security enhancements
that the DOJ could use to protect classified information on portable
computers.
The following safeguards could help reduce the amount of
damage or decrease the chances of unauthorized individuals gaining access
to classified data in the event a portable computer or hard drive is lost or
stolen:

●      Reduce the risk of unauthorized access to classified information while
       the portable computer is in transit by limiting the amount of classified
       information on the hard drive to the minimum amount of information
       necessary to accomplish the mission. This safeguard, used by the
       National Security Agency, reduces the amount of damage that can
       occur if an unauthorized user gains access to the information.

●      Program the computer’s operating system to send a message to the
       system administrator if the computer is connected to the Internet.
       Connecting a classified computer to the Internet increases the risk that
       unauthorized users may obtain access to classified information. The
       National Reconnaissance Office uses this safeguard. Sending a
       warning message to a system administrator would allow a DOJ
       component to take steps to mitigate potential damage to national
       security in the event of a security breach.

●      Install an electronic device on the portable computer that can track or
       locate the equipment using global positioning technology. If such a
       device were installed, the computer could be tracked and located if it
       was lost or stolen.

We believe that these security enhancements identified by IT and
security personnel should be considered by the Chief Information Officer
when drafting policy for portable computers processing classified
information.

14  Encryption involves a set of mathematically expressed rules for rendering data
unintelligible by executing a series of conversions controlled by a key.


Labeling Requirements for Classified Information Media

Current Department policy, in Chapter 8, Section 8-203, of the SPOM,
specifically states, “Classification Markings (Labels) must be displayed on all
components of an IT system that have the potential for retaining classified
information.” The IT and security staff we interviewed at the National
Security Agency indicated that the shell of a portable computer does not
retain any retrievable data after removal of the computer’s hard drive
containing the operating system. The National Security Agency staff further
said that once a computer is powered down, all data in the random access
memory is gone and cannot be retrieved, effectively sanitizing the computer
shell. In our opinion, Standard 1.6 should specify that the shell does not
remain classified after the classified hard drive is removed.

Using removable hard drives on classified portable computers would
require creating a new label for the shell to indicate that the computer might
contain classified information, but is also cleared to process unclassified
information. Therefore, the SPOM should be revised to describe the
markings for this type of equipment.
The Assistant Director of SEPS agreed
with our position on labeling the portable computer shell and indicated that
the change to the labeling requirement would occur during the next SPOM
revision.


Recommendations

We recommend that the Justice Management Division:

6.    Consider the use of removable hard drives for processing both
      classified and unclassified information on the same portable computer
      by using two separate removable hard drives. This would require that
      the hard drive become the classifiable device instead of the portable
      computer and that appropriate security safeguards be developed.

7.    Document the process that gives DOJ components the flexibility to
      incorporate safeguards through new type accreditations to protect
      classified computers from unauthorized access.

8.    Adopt the encryption standard specified by the Committee on National
      Security Systems.

9.    Consider enhancing security by writing policy to limit classified data on
      a hard drive to what is necessary to accomplish the mission.

10.   Consider enhancing security by programming the computer to send a
      message to the system administrator if a computer with a classified
      hard drive is connected to the Internet.

11.   Consider enhancing security by installing an electronic device on
      portable computers to track the equipment in the event it is lost or
      stolen.

12.   Create a new label for portable computers that indicates the computer
      may contain classified information, but is also cleared to process
      unclassified information.


STATEMENT ON INTERNAL CONTROLS

In planning and performing our audit of the Department of Justice’s
policy on the use of classified information in portable computers, we did not
assess the Department’s internal controls over the processing of classified
information on portable computers. Our audit was more limited than would
be necessary to express an opinion of the Department’s internal control
structure over classified information as a whole.

Reportable conditions, as defined by the Government Auditing
Standards, involve matters coming to our attention relating to deficiencies
that, in our judgment, could adversely affect the Department’s controls over
the processing of classified information in portable computers. During this
audit, we did not identify any reportable conditions that could adversely
affect the Department’s controls over the processing of classified
information.

This statement is intended solely for information purposes and use by
the Department’s management in their development of policy over the
processing of classified information in portable computers.
This usage
restriction is not intended to limit the distribution of this report, which is a
matter of public record.


APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY

Our audit objectives were to: (1) review the Department’s policies and
practices concerning the storage of classified information on portable
computers, and (2) determine whether more effective practices could be
adopted by the Department to enhance the ability to process classified
information on portable computers while adequately safeguarding the
information.

Our audit was performed in accordance with the Government Auditing
Standards issued by the Comptroller General of the United States and included
such tests as necessary using the performance auditing standards to accomplish
the audit objectives stated above.

The scope of our audit included reviewing the DOJ Chief Information
Officer’s 18 Information Technology Security Standards; the DOJ’s Security
Program Operating Manual; Executive Orders 12333, 12958, and 13231; DOJ
Orders 2640.2E and 2620.7; applicable sections of the Federal Information
Security Management Act of 2002; applicable sections of the Clinger-Cohen Act;
NIST Publications 800-37 and 800-59; applicable sections of the National
Information Assurance Certification and Accreditation Process (NIACAP);
Director of Central Intelligence Directives, DCIDs 6/3 and 6/9; Federal
Information Processing Standards Publication 197; Office of Management and
Budget Circular A-130; 5 CFR Part 930; and 18 U.S.C. 2510.

During our initial discussions with the Department’s Deputy Chief
Information Officer and the Assistant Director of the Security and Emergency
Planning Staff, they identified DOJ components that process classified
information using portable computers.
Based on their recommendations of
components that process classified information, we selected the Drug
Enforcement Administration, the Federal Bureau of Investigation, and the
Executive Office for United States Attorneys to discuss the use of portable
computers for processing classified information.

We extended our interviews beyond the DOJ in order to determine how
other federal agencies address the storing and processing of classified
information using portable computers. Based on meetings with staff from SEPS
and the Chief Information Officer’s office, we interviewed IT and security
personnel from the National Security Agency, the Central Intelligence Agency,
and the Department of Energy. While conducting our interviews with staff at
the Central Intelligence Agency, they recommended we also contact the
National Reconnaissance Office within the Department of Defense.


APPENDIX II

VOTING MEMBERS OF THE COMMITTEE ON
NATIONAL SECURITY SYSTEMS

The Acting Assistant Secretary of Defense for Networks and
Information Integration, who is also the Department of Defense Chief
Information Officer, currently chairs the quarterly meetings of the Committee
on National Security Systems.
The following list contains the
representatives of the Committee on National Security Systems who have
voting privileges.

Central Intelligence Agency
Defense Intelligence Agency
Department of Commerce
Department of Defense
Department of Energy
Department of Homeland Security
Department of Justice
Department of State
Department of Transportation
Department of Treasury
Federal Bureau of Investigation
General Services Administration
National Security Agency
National Security Council
Office of Management and Budget
United States Air Force
United States Army
United States Joint Chiefs of Staff
United States Marine Corps
United States Navy


APPENDIX III


APPENDIX IV


APPENDIX V

OFFICE OF THE INSPECTOR GENERAL,
AUDIT DIVISION,
ANALYSIS AND SUMMARY OF ACTIONS
NECESSARY TO CLOSE REPORT

Recommendation Number:

1.   Resolved. The Office of the Chief Information Officer (OCIO) agreed
     with our recommendation. The OCIO will revise Standard 1.6 to
     remove any reference to statutes, policies, or procedures that is not
     applicable to classified information processing. The OCIO expects that
     the next revision of Standard 1.6 will be finalized by the end of
     September 2005. To close this recommendation, the OCIO should
     provide us a draft copy of the Standard 1.6 revision.

2.   Resolved. The OCIO agreed with our recommendation. The OCIO
     will revise Standard 1.6 to address systems according to policy from
     the Committee on National Security Systems (CNSS) for Classified
     National Security Information independently from the Director of
     Central Intelligence Directives for Sensitive Compartmented
     Information (SCI). The OCIO stated that the Standard 1.6 revision will
     indicate the requirements applicable to both non-SCI and SCI
     computers. To close this recommendation, the OCIO should provide
     us a draft copy of the Standard 1.6 revision.

3.   Resolved. The OCIO agreed with our recommendation. The OCIO
     will revise Standard 1.6 to indicate what policies apply when classified
     portable computers are allowed to be connected to classified networks.
     The OCIO stated that it will add a statement identifying relevant
     policies to connect classified portable computers to classified networks
     to the revised Standard 1.6. To close this recommendation, the OCIO
     should provide us a draft copy of the Standard 1.6 revision.

4.   Resolved. The OCIO agreed with our recommendation.
     The OCIO will revise Standard 1.6 to both reference Attachment 2
     (Security Acknowledgement Statement for System Administrators) and
     delineate the process used to review the security configuration by
     independent testers and validate system security by certification
     agents. To close this recommendation, the OCIO should provide us a
     draft copy of the Standard 1.6 revision.

5.   Resolved. The OCIO agreed with our recommendation. The OCIO
     will revise Standard 1.6 to reference Attachment 5 (Sample Classified
     Computer Usage Log) and provide written instructions for the
     preparation and retention of the log. The OCIO also stated that a
     reference to Attachment 5 will require use of the log and allow an
     Authorizing Official to accept the risk for not using the log after a
     risk-based decision. To close this recommendation, the OCIO should
     provide us a draft copy of the Standard 1.6 revision.

6.   Resolved. The OCIO agreed with our recommendation. The OCIO
     will revise Standard 1.6 to include the use of removable hard drives
     for processing both classified and unclassified information on the same
     portable computer by using two separate removable hard drives. To
     close this recommendation, the OCIO should provide us a draft copy of
     the Standard 1.6 revision.

7.   Resolved. The OCIO agreed with our recommendation. The OCIO
     will revise Standard 1.6 to encourage components to use an
     accreditation process for non-networked classified computers. To do
     this, the OCIO will add a section to Standard 1.6 addressing
     accreditation requirements and endorsing the concept of type
     accreditation for non-networked classified computers.
     Additionally, the OCIO stated that a revised Standard 1.6 will allow
     components the flexibility to incorporate appropriate additional
     safeguards to protect classified computers from unauthorized access.
     To close this recommendation, the OCIO should provide us a draft copy
     of the Standard 1.6 revision.

8.   Resolved. The OCIO agreed with our recommendation. In July 2005,
     the OCIO will contact the National Security Agency (NSA) to determine
     the current status of initiatives developing encryption standards for
     data stored on classified computers. Additionally, the OCIO will revise
     Standard 1.6 to reference both CNSS and NSA encryption standards.
     To close this recommendation, the OCIO should inform us of the
     outcome of NSA discussions regarding standards for data stored in
     classified computers and provide us a draft copy of the Standard 1.6
     revision.

9.   Resolved. The OCIO agreed with our recommendation. The OCIO
     will revise Standard 1.6 to address limiting classified data on hard
     drives. To close this recommendation, the OCIO should provide us a
     draft copy of the Standard 1.6 revision.

10.   Resolved. The OCIO agreed with our recommendation. In July 2005,
      the OCIO will send a request to the Department of Homeland Security
      (DHS) Science and Technology Directorate to request guidance
      regarding mechanisms to securely notify system administrators when
      classified hard drives are connected to the Internet. To close this
      recommendation, the OCIO should inform us of the outcome of the
      DHS request.

11.   Resolved. The OCIO agreed with our recommendation. In July 2005,
      the OCIO will send a request to the DHS Science and Technology
      Directorate regarding tracking mechanisms.
      However, the OCIO commented that tracking mechanisms appear to
      require substantial infrastructure that may not be justified to track
      a limited number of classified computers. To close this
      recommendation, the OCIO should inform us of the outcome of the
      Department of Homeland Security request concerning tracking
      mechanisms.

12.   Closed. The OCIO agreed with our recommendation. The OCIO
      indicated that the Security Program Operating Manual (SPOM) now
      addresses the labeling of computers using removable drives to switch
      between classified and unclassified operations. Different banners will
      be displayed on computer screens for unclassified and classified
      processing.
'